HHS has issued a prepublication copy of modifications to the HIPAA rule required by the HITECH Act and GINA, together with some additional modifications to HIPAA to enhance its workability and effectiveness. The official copy of the four final rules will be published on January 25th. In issuing the rules, HHS states that it is unable to give a complete cost/benefit analysis, because of the impossibility of monetizing individuals’ privacy and dignity. The final rules’ effective date is March 26, 2013, and full compliance by covered entities and business associates is required 180 days later (by September 23, 2013); HHS also emphasizes that in the future it will impose the 180-day compliance period for new or modified HIPAA standards. This rulemaking does not address either accounting for disclosures or the HITECH Act requirement to develop a methodology to distribute penalties to individuals harmed by HIPAA violations.

Here are some highlights (of more than 500 pages) of the changes:

The first rule contains modifications to the HIPAA rules required by the HITECH Act. Business associates of covered entities are made directly liable for compliance with some HIPAA rules. The use and disclosure of protected health information (PHI) for marketing or fundraising is made more difficult, and the sale of such information is prohibited without individual patient authorization. The final rule also implements individuals’ rights under the HITECH Act to receive electronic copies of their health information, requires modifications of privacy notices, modifies individual authorization requirements for proof of childhood immunizations and for information concerning decedents, and adopts additional HITECH Act enforcement requirements.

Included in this first rule are a number of provisions about the definition of business associate. One is the addition of patient safety activities as a function giving rise to a business associate relationship. Health Information Organizations (including exchanges and RHIOs), e-prescribing gateways, other facilitators of data transmission, and vendors of personal health records also are included as business associates. HHS did not provide a definition for Health Information Organization, noting that the types of entities undertaking this role continue to evolve. HHS also stated that whether a personal health record vendor offers a PHR “on behalf of a covered entity” is a fact-specific inquiry; however, vendors establishing electronic means for a covered entity to send information on patients’ requests are not thereby business associates. The final rule also specifies that “subcontractors” of business associates, in the sense of entities to which the business associate delegates functions performed for covered entities, are business associates—whether or not they have entered into actual subcontractor relationships.

“Researchers” are not business associates, even if they have identifiable health information, unless they perform functions that fall within the definition of business associate, such as creating a de-identified data set.

Privacy advocates may be concerned to learn that HHS decided to retain the provision that PHI does not include information about individuals who have been deceased for more than 50 years.

The second rule implements the tiered civil money penalty structure for HIPAA violations provided by the HITECH Act. This penalty structure has functioned under an interim final rule issued in October 2009. This rule includes clarifications of how HHS will cooperate with the FTC and other federal and state agencies on enforcement. It also modifies the definitions of “reasonable cause” for noncompliance and of “willful neglect,” in order to implement the tiered penalty system. The final rule retains the position in the interim final rule that it is within the Secretary’s discretion to impose the maximum statutory penalty for actions within any of the tiers. The rule also reaffirms the methods of calculating the number of violations: each individual, and each day, counts as a separate violation.

The third rule implements the HITECH Act’s breach notification requirements. Most importantly, it replaces the requirement of “harm” with an objective standard, supplanting the interim final rule issued in August 2009.

Fourth, the GINA requirement that health plans may not use or disclose genetic information for underwriting purposes is now incorporated into the HIPAA privacy rule. This NPRM was published in October 2009. An area of contention following the NPRM was whether the GINA protections should be extended to all plans covered by the Privacy Rule—including, importantly, long term care plans—or whether the protections should extend only to those plans covered by GINA. The final rule extends coverage to all plans covered by the Privacy Rule except long term care plans; these plans successfully made the case to HHS that more information was needed about the likely impact of imposing the GINA prohibitions on the long term care market. HHS plans further study of the issue, perhaps with the National Association of Insurance Commissioners.

Another important provision in the GINA rule is the definition of what it is for a condition to be “manifested”—and thus not covered by the GINA protections. “Manifested” conditions are those that have been or could reasonably have been diagnosed by a health care professional with appropriate training and expertise. Conditions are “manifest” if signs or symptoms are present, even though the condition is diagnosed primarily through a genetic test.